Secure Messaging Authentication Ceremonies Are Broken

Amir Herzberg, Hemi Leibowitz, Kent Seamons, Elham Vaziripour, Justin Wu, Daniel Zappala

Research output: Contribution to journalArticlepeer-review

2 Scopus citations


People who use secure messaging apps are vulnerable to a hacked or malicious server unless they manually complete an authentication ceremony. In this article, we describe the usability challenges of the authentication ceremony and research to improve it. We conclude with recommendations for service providers and directions for research.

Original languageEnglish
Article number9303352
Pages (from-to)29-37
Number of pages9
JournalIEEE Security and Privacy
Issue number2
StatePublished - 1 Mar 2021
Externally publishedYes

Bibliographical note

Funding Information:
3. Use textual representations of key fingerprints. use when obtaining a certificate, and likewise would allow While this creates extra work for developers, this Alice to choose which authorities to trust when querying will make it significantly easier for users to com-keys. Such a system would need some method of audit-pare fingerprints and thus more likely that they will ing authorities to detect misbehavior, as discussed above. perform the ceremony when needed. Users have Research would be needed to develop usable methods consistently complained about numeric represen-for issuing certificates to users at scale, including cover-tations, so developers should heed their concerns. ing situations where a phone is lost or software is rein-The user interface could allow users to fall back to a stalled. Significant development and user testing would numeric representations if they do not understand also be needed to verify that this kind of system would be the textual one. feasible. Finally, coordinating such a standardization and deployment effort among service providers is a daunting If a major provider would push such improvements, challenge. Providers may not be enthusiastic about del-this could set the bar for the rest of the providers. The egating this operation outside of their control, since they success of such a push would rest on how well an appli-are thriving while having built a “walled garden” in which cation could help users to understand the risks they face their app serves only their users. and the benefits of these changes in preventing attacks. Any solution for improving secure messaging appli-It may be possible to use gamification to encourage cations, such as those proposed above, carries with it users to use the ceremony. We note that some games fundamental tradeoffs. The framework developed by have offered incentives for users to adopt two-factor Unger et al.3 provides a useful way to reason about these authentication, so a straightforward rewards approach tradeoffs in terms of achievable properties, which could could reap benefits. then be verified with user testing. We call for providers We especially call attention to the reality that not all to work with researchers in developing detection and users have the same risk profile. Users who are at risk prevention mechanisms that would meet their needs have compelling needs for heightened security.13,14 and protect users. Likewise, residents of countries without strong rights for free speech are regularly at risk when communicat- ing with friends and family. Service providers should e close with the hope that service providers rec-at a minimum focus on helping these groups of users, Wognize the importance of truth in advertising. since their app can cause significant harm for these End-to-end encryption only provides protection from users if they are victims of an attack. active attackers if users authenticate each other. Appli-We also advise the research community to investi-cation providers should ensure their users are aware that gate methods for automatically detecting and prevent-secure messaging applications are currently only secure ing key substitution attacks, which could eliminate if they trust the application provider or if they take addi-the need for the authentication ceremony. A likely tional steps to authenticate. Since users generally do not approach for detecting attacks is to deploy a system use the authentication ceremony, even when warned that audits key servers run by service providers. Simi-about a key change, trust-on-first-use has essentially lar to Certificate Transparency for the web, CONIKS15 devolved to simply always trusting the service provider. and Google’s Key Transparency system could be used Trusting service providers may be appropriate for much to verify that key servers advertise a consistent public of the general public, but those at risk should be guided key for each user. Research is still needed to demon-toward learning how to authenticate. strate how to integrate this type of system with a secure messaging app and to design a user interface that helps Acknowledgments users understand the consequences of an attack and Amir Herzberg was partially supported by an endow-take appropriate action. Moreover, while this approach ment from the Comcast Corporation. Kent Seamons helps service providers offer better assurances for their and Daniel Zappala are supported in part by the National users, it still requires significant deployment effort and Science Foundation grant CNS-1816929. The opin-only provides detection of attacks. ions expressed in the article are those of the research-Solutions that can prevent key substitution attacks ers themselves and not of their universities or sources are both more useful and more difficult to develop. One of funding. possible approach is to establish a system for issuing cer- tificates to users to certify their public keys. Such a public References system could allow Alice to learn Bob’s public key without 1. A. Whitten andJ.D.Tygar,“WhyJohnny can’tencrypt: A relying on or trusting the service provider. Further, such usability evaluation of PGP 5.0,” in Proc. 8th USENIX Secu- an open system would allow Bob to choose which CA to rity Symp., 1999, pp. 169–184.

Publisher Copyright:
© 2003-2012 IEEE.


Dive into the research topics of 'Secure Messaging Authentication Ceremonies Are Broken'. Together they form a unique fingerprint.

Cite this